Analysis Date: 2015-05-06 07:04:08
MD5: 0410d9b86399d5fc11e7df2d9b7b5945
SHA1: eb5c1e1c0acc6ec38fc683d024fe0c85826b55fd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 6f8cad4f7c6aa6692ffd6ab86ca1319a sha1: d1692ba6d9ad74334221769432f12e5cb8dc61ef size: 435712
Section .rsrc md5: f34106fdc040a00730d45f1f1adf9593 sha1: b09dda91a18caa12549d00eacf541914e6fabe1e size: 6144
Timestamp: 2009-01-13 02:29:20
Packer: UPX -> www.upx.sourceforge.net
PEhash: 950ae82f236d8d721f53eba674eacf682c26951f
IMPhash: 6801789d7db148dcab782feacf28ecfc
AV Ad-Aware: Gen:Heur.Codenox.2
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Heur.Codenox.2
AV Authentium: W32/Risk.WPCT-4020
AV Avira (antivir): TR/Malagent.A.2332
AV BitDefender: Gen:Heur.Codenox.2
AV BullGuard: Gen:Heur.Codenox.2
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Refroso.boka
AV ClamAV: Trojan.Poison-611
AV Dr. Web: Trojan.DownLoader.64331
AV Emsisoft: Gen:Heur.Codenox.2
AV Eset (nod32): Win32/Bifrose.ACI
AV Fortinet: W32/Dx.TAV!tr
AV Frisk (f-prot): W32/MalwareF.MUJN
AV F-Secure: Gen:Heur.Codenox.2
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Trojan ( 0000024b1 )
AV Kaspersky: Trojan.Win32.Generic:Backdoor.Win32.Bifrose.aci
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic BackDoor!bcx
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Heur.Codenox.2
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV Twister: Backdoor.4E56337C8AC1F8A2
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MSI1.tmp
Creates Process: msiexec.exe /i C:\Documents and Settings\Administrator\Local Settings\Temp\MSI1.tmp

Process
↳ msiexec.exe /i C:\Documents and Settings\Administrator\Local Settings\Temp\MSI1.tmp

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\12b7f.msi
Creates Mutex: Global\_MSIExecute

Network Details:


Raw Pcap

Strings
KQ
.
>
....w.
.
.j
R3.t
1.KQ
.
>
....w.
.
.j
R3.t
1.
.
f_..
/
ua
.
4
0.
.
.H...W
.
....R
.I.!
.
.
.*...
....
333f3
DATA
f3fff
<&'()*
<+,-./
 !"#$%<
"""""/
%&'()*<
;/0|	,"
: 0,1,
0-100 xd
012345<
0-255,Q=
<)04Ay.
 (,08<
0A~cZ_
0A@@Ju
[0gGgw
0M7p[c
:($0pT
0uIi/:
0Vj,t`
+,-./0y
0Z^22*
(1/12o
1.2.3H
;1;2;4;5;6;8;9
1<2SZy2
16eunq
1,|[9n
1\Hn B
1=K't@
1MV\uBL
$1tOJpU
1WM3v?
1:w}$n
1wPg`M
$""1wV
=\;2|@	
 !"#$%&'()*+,-./@23
_,[= 268435
2ation
'\2AtoW
2c]/YW#
>2Dv]M
2(_gV,h
2j[c/yb
`+2{?K
!2k)uS
$2@N\k
\2Nm fx	
2P5d5t
2Pj?\c
2TICDz~
2u=qK3:
\~?_2X
32-08w0gs-
"35#HF
3:5w YA
*3#8yX5
'39OCM
3];B*#
3I?>k 
%3K3j3
3>RJ%6
3uBl{^
44DL@P`
456789:;<=>?@ABCDEFGHIJKLMNOPQRS
4"6FVd
{4C231858-2B39-11
\ 4dFHI
4~f9.u
&4*g\1
4;g%@<r
4mX=HR
4MzyJz
4o|9jV)
4_Tefp8
4W5a5s5
>4_{?Y
56789:
5d*M[P6
5j R_2C
5q9x;W$
5'svck
5{`?u$a
5VIWk[0
=|5W0h
<6789:
69_417D_A47
6A:%<4
6cy~r"$
6/?#;*H
6(i4gK
6"ntac
6yj L\)
6&%yV"
702DEE5
7<43OZ
7&71767>7C7K7P7X7]7e7j7q7}7
780ACE1}
7{D0D5A8~2C5
7%fGj(
7Hlld66g`*
7J3&0K`olh(WQMs 
8<{	?*
`";82^E
85D60R900$}Q
882i~N
8C;"<1Hu
8:f\'-
8F_28D6_4590_A991_
8i$8)n
8IDvo*=
8j!S0u(
8Jx1*d3
8N\)2]
?8N8x8
8NcCI6D
8NSUWs
{8RQ<b
8sSgU 
-936*2
95-4D5
9":):6:=:
9~8}v=
$9999(,04
9BA1A655B5D9
)9"IFrt
9ininin%
9IsBbupgv
9M?~n(
,9)q	e
9sb=LbcM)
+9T^/d
9U@p,X
`%A 3(M
.?A8$.
<_`abc.
`abcde<
@ABCDE<
ac S^tV
AcWoCe
<<Ae/KX
A:E!ul
a-!FT1
A@,F;U
ag\mRh4L
aKP[)t
amt	oOi
AndrXS
aO,5+5
A!oYV>`
A$p(9H
@'-ar1P
arrpViw
<assemblyIdentity version="1.0.0.0"
</assembly>PAD
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
ASU|%#
a.t2mpt to 
AtT3XG.g
=aV,IN
a_We[y
aW\y`K
axKeyi
b/: ,.?
b+$'.?.~
* B,&$
_B3D13F97_
B4C42B829328{
B4FhD&B
b4)/%i
b(7~AI@
B9F8DAB-3 F-4EB-BED
!B	aei+
b\<CI=
$Bf<+['
;;B&F7B
bF>&D_
b_+gJ4
BR( o.k
bVF|b^
;B[!vI
bvLEaB
b!X  =
Bz>b~1
.^BzUW
C'|]\/
C)_}!<
C04F6837D0}0
c~3dcqZ3
:C=3iWq
c4rr*~
C5BE0"
C<@8&f
c9C#Qp
|CCc&f
'{CDFF8FB
!c?}f4
cf;m3b
Cgm]@e4:
cHQ$TRp
{C,ICO
c*j/m;
c*Ne-o
CorExitProcess"mscee
CO~UT$pww
`cpN|<
"^cqKz
/$-Cti
c;uBK~_?.
c"UIFAr.-
.Cwg.q0;I
cwYTexk
c}X\,"
cX_xnJh
cycH!D
c~}YNl
,<cYt^
*C{Z3N)
&d''].
+?D{)	
'&d1w7`;*
D3-8E0D-
"d7Mb)
DB{*e-
<description>msi2exe</description> 
'>D?iK
.DIRCA_TARGET
djaFl]
DjO	4>
DMDCOM	kx
.d?&O1G
$|doe]
DO%[EG
DPj_XVY
,d>rd=R
(ds5m2
D%[WPq
dz.wg$
(E/:<:
E1*R>6
e'[2]'0
e4r^}q
_E4)V'
~&'E6L
e'Bm8\
eBoxbUSER[
ec\%3A55
E&D 54
E(?(E8B
eEM!ZPM: q
E>%-^F
EG]gXW
e})h6ZePGg
eig ke
ej6(si
Elehmd
eL.JO=\Q
ELYxVw
em|I#2
EMMw5f
EndPaint
EnVdeP
<-EoN/@
ep5 kJT
eP]]9i
eq^hv2
}E.*)U
&Evboq
EWC`C~
ExitProcess
`F1Pr	
`}f>2p3
F2X_-k
F3H4P\c
f5w)tW
$FC<j}]
<fghij
<FGHIJ
fH X?FT
fjN'VI]
|FlushB*
F'%;	n
f@]NSA
fN:$Y`
F_'rD0
{Ft/Ob
FU	9?'a
F]U%ST
||FwEK
fw_og7
F(X@5ZO
@F<Yv8
*,FzI	
G*46SI
GDI32.dll
GENERIC
GetProcAddress
GJn)NV
:{g*?m
gr{Re/
g"tniv
G.,u5_
;Gui.P&
#*guQs
GVX{&99L
GW-yKc9
gY>{,c^
GYqQ&j
GZ~Bad
h1 oL4Lj,
}>h2|`
H7ARng
Ha/$s_`
 has m
`!HaVc|K.
HA(v^j
hegory
H;er 8^
$hfv|%
h,	=h-
HH:mm:
|*HhTK
 Hie2chy D
H&nL$1
H[nzFF3x|
&HpBIl
H&}~RA
HRAq""
"hrOO/
ht`Bw6Ug
$--Hv^
hwujjM
HzLg?2
`'i;]0
I8p,_3
 Ib!7)?<
; *iC*
^IdD)I
;IdoDe
IeU;Z`
i-H9.9
i}IE^ft
IJKLMN
I')L{3
IMO.2=
ir=4iE
irstuv
?i.sSBh
<IT[_OLE
I(&<,VI_
ivkb|7X
IVSbfw
iw{n/=
Iy	.vPc
|']j,[
J1.d }7;>
J3Q`hL
j^:524J
?j6$\p
j8j ^V
Jb1\\_^
JbVquE%
}-/JELCW
jF$W`Z
jgk_ePh`
,JhXvt
Ji/PE9
-jj`~_
jLY^=W
JNU#7\
jOM}[i
]jp-s:K
Jr5`j}=
(JT4.'!
J T7/h
jtO4m64
 JUS(`
,J#v;#
J:VRzbm
`(-+K:
k$0"[1
:K|2t-R
 <K{56
KAu-W|
}kdO`T
KERNEL32.DLL
KERNEL32.DLLDe
kEw"l/
kGuTF=>
K"h7he
KhNF:Io
kix)c_wkT
k&jlRB
`Kj_R[
klmnopy
KLMNOPy
Km|0~+
KMR[g]
_K'N$z4O
ko=>#X
+k p>vz
;$Kqh	[
}k$s'Wed
kw\`R;
kW?@w;
k/Z7U( 
\l12'<k
!L3BUS
l46eqY~
L8kB~|
l9[UFhL
La1<%Qa
la!|7y 
>lB>^u,
lc	`dB8
>LCMap
Lc	r3P
>;?@?L?c?r?y?
=LCtXw!
Ldqt7n
  Leav 
!le{e0
lg &D/
lH~&HB
l/mV p
LoadLibraryA
LOCAL_
LomS>c
<l P][
l\R~4lf
Lv~hM%_,
{~, M 
m_BU6~Bn4
MDAAVpw
>!Mh&&
m&Hfni9
MIHhj6
MIME_	
.mixcrt
mJ0DtP(
MKD#[%
mM'1dU
mnNH9Min4uf
M-ondm.E
Mon!Su
mOS+Ig
MO~w$2
MPSTw0Q
.,mRdV=8
,m~_s*
\msic+`
M:$'v4
MWqajn
;N7Kg$
N9YmK(
	name="msi2exe"
NA[N=*
NBKl\3
N(/clr)<
neAprilMw
nfJ~B$p
nfJHM]G
/n$h5^
N*_Hb	
NLY`#V;I
:n|'&n
*n >NeZ
nNvqw*
N{o"HY
NOMO7R
^nopqi
NP@>Q1
nPv`~p
&~}nS\|
n ,SLi&#`
n[!=T4
nTi<>8
N?W`em!
ny	KD@,=
NyM8EnK
Nzm{CM`r>
/O2Hp>1+
O=^52&
o74%`u
<}O8Ff
"|?o;En
OfdPh 
*o<GEu
^o\){h]9
Oh;BsRBN
\^o{H.E
ointer
o?j%Bv
oJ/v,z
oK5[5C
oLLLLL
OMA$#R6034
oOORL4
,+oQHmo
orV*66
Os"iciL
OT6ZA5
OU\_IA
OUj?a{4&
OutpuPE
]`>Owps
ozR1ML
@oZ{V0l
p2s[S;7|G
	|P@4E
+-p6My
p=>B<IA
PB@NX,
Pc)n00c
<pd$U8IA.?r
~pGK<t
P"=H8b
p%{H*P
,p?jg`8O=
pKe)6\Y
pnY'lx
PP"t(0
pqrstu<
PQRSTU<
	processorArchitecture="X86"
Pr% ~Z<
&pSC!aq
pt)Augu
p[yrP%
p'ys-#}
PYyF-s%|P
]p zvs-
Q}-0pG
,q<[2w\
Q4vT=tU
q80]	O%
Q8AlPf
q9hXH;
QavX@;l1
qDH	7CR
QhBC~t
QHi1=J
qJz	U=
QLzQAk
q^mu,wm%C
qmXjLW
Q!n7.Ga16
Qot17w
Qo:uyMt
)qqD7$)M
qQ*NR7
?Q{Sr>
]~QTMq
q y^g/#
<qZAFH
qzGAIEBi{qlt
qzXphk
R0'P* K
r1!_Z#
R2s?p%
R49]B'
R8rc<B
R+ai$>
R%+~bS
-RDY28
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
         </requestedPrivileges>
         <requestedPrivileges>
RkjmA/
r;Lb&:M
rL pb 
Rl=,Sn
rm%&TW*
&R:n'le
[R.@pV
RrApDG
Rtlwi%
ru_x}N
RUYdr 
,Rwy$P
rx4g"=>H
R<yN(I
RZ%S}18
%}	#s	
S0[9~mZ
'S~1|~
s4lgvEq
S6B%3q
s[Cy>%
s&cZI;
s:d^?-
SD@%|`
*S?[E:&
SE0"l4
      </security>
      <security>
@S$_[FT
;ShPtcu
siC"f+
SIUzqK
@}Sj@(/
!Sl&>9X4
SL)b>*
sNOT REMOVE~=
#SpybI
SqcX4\
SQX7Ie
s%R,\y
*s_sdR
_(s&Unp+
SW)UO,
SZu^m@
T0"Qg+-@
_T263k
t)^2SL
T2&_TZ
t9R"NH
"t^9(uZ
tC|C K
T^&d%er =
"t+DPI,
}(T]ea
tEL_.%
TextOutW
!This program cannot be run in DOS mode.
^t(h>r
T;izx5
t_jhd,#t
TJXYZ[\]^_`
TlGGA|H@pl
TLOSS#
TM[s~)
;(\&t N
Tp=-h0
-TqA\G
tQlB	>$
'True'
   </trustInfo>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
ts=P'/*
t	Tt6D
t+ucH{
Tuw9a$QD1
	type="win32"/> 
tznayiB!BOqhf+2
@$t"zo
;TZ}oox1
u63^<y
u8SS:>
u~)`]A
Ua;\Js
U^D?	`
<u{\fJ
uf^wKL
	u(H')
U(h:,J
uk^)qdkmA
UQEp!_P
URPQQh
USER32.dll
Us,';q
UtY*UG
uV}QC9
:uvwxyz{|}~
uxRQe<
U@XY]Y[
)]~UZ&
U	Z6~i
UZ*9u7
)u;Zw%
_@V@?(
V`2HBo
v:[5S_
V9M@PX16
V+bUPh
vD9z+7
V&<^G?
v|?)gO
vh;Vhs#Lan
v;I&lH
vi,RaE
VirtualAlloc
VirtualFree
VirtualProtect
vjv(!s
>`Vk ~
vkIa7-
vM.Modh,
vo*/_*
vPDFq0
v;PgR/S
vRBL`@
Vsd0.B24
;Vv	N+0
vwbM{ 6
V@%}W)H
v#WhPI
<vwxyz
<VWXYZ
W,6%2n
\W` <8g
=W 8We
wAB3roN
{/"}Wb
?wElDj>
wgF?sW
#wHbG2d
Wh>Hif
:W|M5>
w| mXc
w})pEk
W=po*>
_W_!Pu#
`~,WP-YP
W{ Qi*
W=Qw:?
wr""/p
wruhimQa
w%T7jB
) |W<Vo
wv#..S
wwwwwwww
wwwwwwwxp
W;xiVt
wxr""/p
wxyz{=
wzmHeZ
!,%+X~
^x1j<8
x,(48b:M
-x\5;u
=XB^t6
X\`dxW
XgH7;B
XjFmj2:
xLoru9DO
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xoDBjZ
	x+ok3
XPTPSW
xRitpy
xWyeV0
xx(vt}
x]YBoc
%x'zY)_
 !"#$y
;<=>?@y
[\]^_`y
y!"#$%
y%&'()
y12345
y3*BXI
y4&RN$s
Y9(2>+
ya]4mD
yabcde
yABCDE
YD1N/;
}Yl<gz
ylhd`\
YM-ONy
y;ODBCpsEc
 yotW. Ip
yqrstu
yQRSTU
#=yqw	
yR^4/H
Y]'r{D
YR_#=W
*y~T[D
Yy#&P3
YZ[\]^<
;_}YZG
Z0xG.N
-z+3{c
Z?9L5)
z)dbBn
z`en%W
;zFw4V
"zgRdl
!z?If?
z^L|}+BE
zO/|MJ
z	_*OT
,!zPSq
z&qz;>
Z~VMwam
((zvx0j
z[YfP"
^zz111
^zz1111
^zz1111M
^zz1111MM
zz1111MMM